[Cloudflare One] Add known limitations to MCP server portals#30615
Open
kennyj42 wants to merge 2 commits intocloudflare:productionfrom
Open
[Cloudflare One] Add known limitations to MCP server portals#30615kennyj42 wants to merge 2 commits intocloudflare:productionfrom
kennyj42 wants to merge 2 commits intocloudflare:productionfrom
Conversation
ranbel
reviewed
May 5, 2026
|
|
||
| MCP server portals have the following known limitations: | ||
|
|
||
| - **Only remote HTTP MCP servers are supported.** MCP servers that use stdio transport only (for example, `github/github-mcp-server`) do not expose a remote HTTP endpoint and cannot be added to an MCP server portal. To use a stdio-only server, you must self-host it behind an HTTP endpoint and authenticate with [custom headers](#add-an-mcp-server). |
Contributor
There was a problem hiding this comment.
Suggested change
| - **Only remote HTTP MCP servers are supported.** MCP servers that use stdio transport only (for example, `github/github-mcp-server`) do not expose a remote HTTP endpoint and cannot be added to an MCP server portal. To use a stdio-only server, you must self-host it behind an HTTP endpoint and authenticate with [custom headers](#add-an-mcp-server). | |
| - **Only remote HTTP MCP servers are supported.** MCP servers that use [stdio transport only](https://modelcontextprotocol.io/specification/2025-11-25/basic/transports) (for example, `github/github-mcp-server`) do not expose a remote HTTP endpoint and cannot be added to an MCP server portal. To use a stdio-only server, you must self-host it behind an HTTP endpoint and authenticate with [custom headers](#add-an-mcp-server). |
ranbel
reviewed
May 5, 2026
|
|
||
| - **Some MCP servers block proxy-based clients.** Certain MCP servers reject requests from proxy-based clients like MCP server portals, returning a `403` error on the registration endpoint. These servers are not compatible with MCP server portals until those providers add Cloudflare as a supported MCP client. | ||
|
|
||
| - **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support OAuth dynamic client registration cannot use the portal's OAuth authentication flow. For these servers, select **Custom Headers** as the authentication method and provide static credentials (for example, API keys or personal access tokens) instead. |
Contributor
There was a problem hiding this comment.
Suggested change
| - **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support OAuth dynamic client registration cannot use the portal's OAuth authentication flow. For these servers, select **Custom Headers** as the authentication method and provide static credentials (for example, API keys or personal access tokens) instead. | |
| - **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support [OAuth dynamic client registration](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#dynamic-client-registration) cannot use the portal's OAuth authentication flow. For these servers, select **Custom Headers** as the authentication method and provide static credentials (for example, API keys or personal access tokens) instead. |
Clarified the limitations of MCP servers regarding OAuth dynamic client registration and provided details on using shared bearer tokens.
ranbel
reviewed
May 5, 2026
|
|
||
| MCP server portals have the following known limitations: | ||
|
|
||
| - **Only remote HTTP MCP servers are supported.** MCP servers that use stdio transport only (for example, `github/github-mcp-server`) do not expose a remote HTTP endpoint and cannot be added to an MCP server portal. To use a stdio-only server, you must self-host it behind an HTTP endpoint and authenticate with [custom headers](#add-an-mcp-server). |
Contributor
There was a problem hiding this comment.
#add-an-mcp-server does not currently have any info on how to authenticate with custom headers...
ranbel
reviewed
May 5, 2026
|
|
||
| - **Some MCP servers block proxy-based clients.** Certain MCP servers reject requests from proxy-based clients like MCP server portals, returning a `403` error on the registration endpoint. These servers are not compatible with MCP server portals until those providers add Cloudflare as a supported MCP client. | ||
|
|
||
| - **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support OAuth dynamic client registration cannot use the portal's OAuth authentication flow. For these servers, you may upload a shared bearer token via the [api](https://developers.cloudflare.com/api/resources/zero_trust/subresources/access/subresources/ai_controls/subresources/mcp/subresources/servers/methods/create#(resource)%20zero_trust.access.ai_controls.mcp.servers%20%3E%20(method)%20create%20%3E%20(params)%200%20%3E%20(param)%20auth_type%20%3E%20(schema)). Static OAuth or per user bearer tokens are not yet supported. |
Contributor
There was a problem hiding this comment.
Can we include an API example showing how to "upload a shared bearer token"?
Contributor
There was a problem hiding this comment.
also what does this auth flow look like from the end user perspective?
Contributor
Author
There was a problem hiding this comment.
bearer token auth will be transparent to the user. Since they all leverage the same admin auth token. It's not a very preferrable option for that reason.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary